AI Compliance Tools for Insurers: Colorado SB 21-169, NAIC, NYDFS, and California
AI compliance tools for insurers must handle Colorado SB 21-169, the NAIC Model Bulletin in 24+ states, NYDFS Circular Letter No. 7, and California CDI guidance on utilization management.
By AI Compliance Vendors Editorial · May 17, 2026 · 12 min read · Last reviewed May 17, 2026
AI compliance tools for insurers have to handle four overlapping regimes that have all matured between 2023 and 2026: Colorado's SB 21-169 insurance-AI rules (and the now-delayed broader SB 24-205), the NAIC Model Bulletin adopted by 24+ states, NYDFS Insurance Circular Letter No. 7, and California CDI's guidance on AI in utilization management. The throughline is the same: insurers must demonstrate that their AI does not produce unfair discrimination, and they must document the testing and governance behind that demonstration.
This guide is the practical map.
Colorado SB 24-205: the broader AI law (delayed and contested)
Colorado Governor Jared Polis signed SB 24-205, the Colorado Artificial Intelligence Act, on May 17, 2024 (Colorado General Assembly). The original effective date was February 1, 2026.
On August 28, 2025, Polis signed SB 25B-004 delaying all operative dates by five months, to June 30, 2026 (WaterStreet Company).
Current status as of May 17, 2026. In an order dated April 27, 2026, a Colorado Magistrate Judge ordered the Colorado Attorney General not to enforce SB 24-205 until final adoption of implementing regulations. As of May 2026, the AG has not formally initiated rulemaking. Enforcement is not expected before 2027 (Littler).
On May 1, 2026, Colorado introduced S.B. 26-189, which would amend SB 24-205 and require the AG to adopt implementing regulations by January 1, 2027 (Littler).
For insurers specifically, SB 24-205 contains a safe harbor: an insurer is in full compliance with the Act if it is subject to the insurance-specific AI regulation under C.R.S. § 10-3-1104.9 (Colorado SB 21-169) (Colorado General Assembly). That carve-out is the most important provision for insurance compliance teams. It means insurers can focus on SB 21-169 and not worry about parallel SB 24-205 obligations, provided they remain in SB 21-169's scope.
Colorado SB 21-169 / C.R.S. § 10-3-1104.9 (the one that actually matters)
Colorado SB 21-169, effective January 1, 2023, and its implementing regulations under C.R.S. § 10-3-1104.9 prohibit insurers from using external consumer data sources (ECDIS) and predictive models that result in unfair discrimination. The core requirement is quantitative testing for disparate impact, even for facially neutral models (WaterStreet Company).
Initially the law applied to life insurers only. As of October 15, 2025, the scope expanded to private passenger automobile insurance and health benefit plans (WaterStreet Company).
Key operational implications:
- Carriers without documented governance programmes and quantitative bias-testing processes under § 10-3-1104.9 are operating out of compliance today. This is not a future law for in-scope carriers; it is a now-law (WaterStreet Company).
- Bias testing must cover protected classes specifically. The Division of Insurance has clarified expectations around race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, and gender expression.
- Documentation requirements include data sources used, model methodology, testing protocols, and remediation actions when disparate impact is identified.
For insurers that operate across multiple states, the Colorado regime is the de facto floor. It has the most prescriptive technical requirements of any state insurance-AI rule. Building a Colorado-compliant programme typically satisfies the related NAIC Model Bulletin expectations in other states without major re-work.
NAIC Model Bulletin (24+ states and counting)
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers was adopted on December 4, 2023 (VerifyWise).
As of March 2025, 24 states had adopted the Model Bulletin with little or no material change (Quarles & Brady / InsureReinsure). As of early 2026, over half of all states have adopted the bulletin or substantially similar guidance (WaterStreet Company).
The verified adopter list (March 2025)
Alaska, Arkansas, Connecticut, Delaware, District of Columbia, Illinois, Iowa, Kentucky, Maryland, Massachusetts, Michigan, Nebraska, Nevada, New Hampshire, New Jersey, North Carolina, Oklahoma, Pennsylvania, Rhode Island, Vermont, Virginia, Washington, West Virginia, Wisconsin (InsureReinsure).
What the bulletin actually requires
Insurers must adopt a written AIS Program covering:
- Governance. Documented policies, cross-functional roles, senior management oversight.
- Risk management and internal controls. Proportional to the Degree of Potential Harm (low/medium/high) the AI poses.
- Testing and validation. For errors, bias, and unfair discrimination.
- Third-party vendor oversight. Including diligence and audit rights when AI is sourced from vendors.
- Documentation and regulatory cooperation. Insurers must be ready to provide their AIS Program documentation to regulators on request (VerifyWise).
The 12-state NAIC AI Systems Evaluation Tool pilot
Beginning March 2026, 12 participating states are piloting an NAIC AI Systems Evaluation Tool, a structured framework for examiners to review insurer AI governance programmes during market conduct examinations. The pilot runs January through September 2026 (WaterStreet Company / Plante Moran).
For any insurer operating in those 12 states, expect formal AI examinations during 2026. The pilot exam tool standardises what regulators ask for. Build your AIS Program documentation to that template.
NYDFS Insurance Circular Letter No. 7 (2024)
The New York Department of Financial Services released Insurance Circular Letter No. 7 on July 11, 2024. It is not new legislation. It is NYDFS's formal statement of how existing New York insurance law applies to AI (NYDFS).
Scope
Applies to all insurers authorised in New York State using AI Systems (AIS) or External Consumer Data and Information Sources (ECDIS) for underwriting and pricing. Does not apply to claims handling, marketing, or fraud detection. Also excludes Child Health Plus, Essential Plan, and Medicaid managed care (NYDFS).
The core fairness rule
Insurers should not use ECDIS or AIS unless they can establish the model and data do not use, and are not in any way based on, any class protected under New York Insurance Law Article 26 (NYDFS).
That is a strong bar. "In any way based on" closes the common workaround where insurers exclude a protected class as a direct input but allow proxies (zip code, occupation, education level) to do the same work.
The three-step discrimination assessment
Insurers must perform an annual three-step assessment:
- Assess disproportionate adverse effects.
- Assess legitimate lawful rationale where adverse effects exist.
- Search for a less discriminatory alternative.
Approved quantitative metrics include Adverse Impact Ratio, Denials Odds Ratios, Marginal Effects, Standardized Mean Differences, Z-tests and T-tests, and Drivers of Disparity such as Shapley values, regression coefficients, and sensitivity analysis (NYDFS).
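An added worked example, not code from NYDFS or from this guide's sources: it computes four of the metrics listed above (Adverse Impact Ratio, denial odds ratio, a two-proportion Z-test, and Standardized Mean Difference) for step one of the assessment. The group labels, function names, and all counts and premium values are constructed for illustration.

```python
import math
import statistics

def adverse_impact_ratio(fav_prot, n_prot, fav_ref, n_ref):
    """Favourable-outcome rate of the protected group over the reference group's."""
    if n_prot == 0 or n_ref == 0 or fav_ref == 0:
        raise ValueError("empty group or zero reference approval rate")
    return (fav_prot / n_prot) / (fav_ref / n_ref)

def denial_odds_ratio(fav_prot, n_prot, fav_ref, n_ref):
    """Odds of denial in the protected group over odds of denial in the reference group."""
    den_prot, den_ref = n_prot - fav_prot, n_ref - fav_ref
    if fav_prot == 0 or den_ref == 0:
        raise ValueError("odds ratio undefined: zero cell in the denominator")
    return (den_prot * fav_ref) / (fav_prot * den_ref)

def two_proportion_z(fav_prot, n_prot, fav_ref, n_ref):
    """Pooled two-proportion z statistic and its two-sided p-value."""
    pooled = (fav_prot + fav_ref) / (n_prot + n_ref)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_prot + 1 / n_ref))
    if se == 0:
        raise ValueError("no variation in outcomes; test is undefined")
    z = (fav_prot / n_prot - fav_ref / n_ref) / se
    return z, math.erfc(abs(z) / math.sqrt(2))

def standardized_mean_difference(prot_values, ref_values):
    """Difference in means divided by the pooled sample standard deviation."""
    n1, n2 = len(prot_values), len(ref_values)
    pooled_var = ((n1 - 1) * statistics.variance(prot_values)
                  + (n2 - 1) * statistics.variance(ref_values)) / (n1 + n2 - 2)
    if pooled_var == 0:
        raise ValueError("no variation in values; SMD is undefined")
    return (statistics.mean(prot_values) - statistics.mean(ref_values)) / math.sqrt(pooled_var)

# Constructed sample: (approved, total applicants) per group, and quoted premiums.
APPROVALS = {"protected": (60, 100), "reference": (160, 200)}
PREMIUMS = {"protected": [110, 120, 130], "reference": [100, 110, 120]}

def assess(approvals=APPROVALS, premiums=PREMIUMS):
    """Step-one metrics for one protected/reference group pair."""
    counts = (*approvals["protected"], *approvals["reference"])
    z, p_value = two_proportion_z(*counts)
    return {"air": adverse_impact_ratio(*counts),
            "denial_odds_ratio": denial_odds_ratio(*counts),
            "z": z, "p_value": p_value,
            "smd": standardized_mean_difference(premiums["protected"], premiums["reference"])}

if __name__ == "__main__":
    print(assess())
```

The functions raise on undefined ratios (empty groups, zero cells) rather than returning a misleading number, so a small or homogeneous segment shows up as an error to investigate instead of a clean result.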
Adverse action notice
Within 15 days of a determination that an applicant cannot be underwritten via an AIS/ECDIS-based process, the insurer must provide written notice including the reason(s) (NYDFS).
Governance
The board of directors is responsible for oversight of AI use. Senior management is responsible for day-to-day implementation with written policies and procedures reviewed at least annually (NYDFS).
For any insurer with material New York exposure, CL No. 7 is the operational standard to hit. It is more prescriptive than the NAIC Model Bulletin on quantitative testing and notice timing.
California CDI SB 1120 (utilization management only)
The California Department of Insurance issued guidance under SB 1120 on the use of AI, algorithms, and other software tools in utilization management for health insurers — not underwriting (California CDI SB 1120 Guidance PDF).
The guidance prohibits decision-support tools from:
- Basing determinations solely on group datasets.
- Supplanting health care provider decision-making.
- Directly or indirectly causing harm to the insured.
Insurers must ensure decision-support tools are open to CDI inspection, must include written disclosures in utilization review policies, and must periodically review tool performance.
Note: there is no California CDI bulletin on underwriting/pricing AI equivalent to NYDFS CL No. 7. The California guidance addresses health-insurance utilization management only. Underwriting/pricing AI in California is governed by the existing Unfair Insurance Practices Act and the general Civil Rights Act prohibitions, plus the broader California Privacy Rights Act and AB 2930 framework (where applicable).
A compliance stack for multi-state insurers
If you write business in Colorado, New York, and at least one NAIC-adopter state, the practical layering is:
- Build to Colorado SB 21-169 as the technical floor. Quantitative bias testing, documented model methodology, demographic data collection, remediation protocols. Treat it as live, not pending.
- Add NYDFS CL No. 7 elements for any New York book. Three-step assessment, less-discriminatory-alternative search, 15-day adverse-action notice, annual policy review.
- Wrap both with an NAIC Model Bulletin-style AIS Program. Written governance, Degree-of-Potential-Harm risk tiering, third-party vendor oversight with audit rights. Use the 12-state pilot exam tool template as your documentation guide.
- For California health business, layer SB 1120 utilization management controls. Provider decision-making preservation, written UM policy disclosures, periodic tool performance review.
- If you write business in the EU, layer the EU AI Act Article 6(1) high-risk requirements for insurance underwriting AI. See our EU AI Act deadline extension explainer and GDPR Article 22 vs EU AI Act guide.
- Document your model lifecycle once and reuse. A single technical specification covering data lineage, training methodology, validation testing, bias testing, monitoring, and governance satisfies all four regimes, with appendices for state-specific details.
For the vendor side, our best AI governance software roundup and insurance AI vendor directory cover the tooling.
One last note. The NAIC AI Systems Evaluation Tool pilot runs through September 2026. The standard template that emerges from it will become the de facto national framework. Build your AIS Program documentation to the pilot tool's structure and you will be ready for whatever comes next.
References
- Colorado General Assembly. SB24-205. https://leg.colorado.gov/bills/sb24-205
- WaterStreet Company. Colorado SB 205 Insurance AI. April 9, 2026. https://www.waterstreetcompany.com/colorado-sb-205-insurance-ai/
- Littler. Colorado's Artificial Intelligence Law Could Be on the Chopping Block. March–May 2026. https://www.littler.com/news-analysis/asap/colorados-artificial-intelligence-law-could-be-chopping-block
- NYDFS. Insurance Circular Letter No. 7. July 11, 2024. https://www.dfs.ny.gov/industry-guidance/circular-letters/cl2024-07
- Alston & Bird. NYDFS Issues Final Circular Letter Guidance on AI. August 9, 2024. https://www.alstonprivacy.com/nydfs-issues-final-circular-letter-guidance-on-use-of-ai-in-insurance-underwriting-and-pricing/
- NAIC. Model Bulletin on the Use of Artificial Intelligence Systems by Insurers. https://content.naic.org/sites/default/files/inline-files/AI%20Model%20Bulletin%20-%20April%202024.pdf
- InsureReinsure. Wisconsin Becomes 24th State to Adopt NAIC Model Bulletin. March 19, 2025. https://www.insurereinsure.com/2025/03/19/wisconsin-becomes-the-24th-state-to-adopt-the-naic-model-bulletin-on-the-use-of-ais-in-insurance/
- VerifyWise. NAIC Model Bulletin summary. https://verifywise.ai/ai-governance-library/sector-specific-governance/naic-ai-model-bulletin
- Plante Moran. How the NAIC AI Model Bulletin Is Evolving. March 24, 2026. https://www.plantemoran.com/explore-our-thinking/insight/2026/03/how-the-naic-ai-model-bulletin-is-evolving
- Quarles & Brady. Nearly Half of States Have Now Adopted NAIC Model Bulletin. https://www.quarles.com/newsroom/publications/nearly-half-of-states-have-now-adopted-naic-model-bulletin-on-insurers-use-of-ai
- California CDI. SB 1120 Guidance on AI in Utilization Management. https://www.insurance.ca.gov/0250-insurers/0500-legal-info/0200-regulations/HealthGuidance/upload/SB-1120-1-Guidance-Use-of-Artificial-Intelligence-Algorithms-and-Other-Software-Tools-in-Utilization-Management.pdf